CVE-2023-39663
Description
MathJax v2.7.9 and earlier contain ReDoS vulnerabilities in two regex patterns, though the vendor disputes applicability because the regexes are not applied to user input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
CVE-2023-39663 describes two Regular Expression Denial of Service (ReDoS) vulnerabilities found in MathJax up to version 2.7.9. The issues reside in the `pattern` and `markdownPattern` regex components within MathJax.js. According to the GitHub issue report [2], these patterns exhibit exponential backtracking behavior when processing crafted strings, which can lead to excessive CPU consumption.
Exploitation
Prerequisites and Attack Vector
The vulnerable regexes are triggered when MathJax processes strings passed through MathJax.Message.Set() or MathJax.Localization._() [2]. An attacker who can supply a specially crafted message to these functions could cause a denial-of-service condition. The official description notes that the vendor disputes the CVE, asserting that the regular expressions are not applied to user input, thus there is no risk [1].
Impact
If exploitable, an attacker could trigger a ReDoS attack, causing the application to hang or become unresponsive due to high CPU usage. The impact is limited to availability, with no data access or privilege escalation.
Mitigation
Status
MathJax v2.x is in maintenance mode and users are encouraged to upgrade to MathJax v3, which does not contain these regex patterns [2]. No official patch is planned for v2. The CVE is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mathjax (npm) | <= 2.7.9 | — |
Affected products
- Mathjax/Mathjax
- osv-coords, 3 version ranges (no CPE): < 0, < 0, <= 2.7.9
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Two regex patterns in MathJax.js contain nested quantifiers that cause exponential backtracking on crafted input, leading to ReDoS."
Attack vector
An attacker who can control the message string passed to `MathJax.Message.Set()` or `MathJax.Localization._()` can trigger a ReDoS attack by supplying a crafted input such as `"%{a:%0||||||||||||||||||||||||||||||||||"` [ref_id=1]. The `pattern` regex contains nested quantifiers that cause exponential backtracking when processing this input, leading to CPU exhaustion [CWE-1333]. The vendor disputes the finding, asserting that the regular expressions are not applied to user input [ref_id=1].
Affected code
The vulnerable patterns are in MathJax.js: `pattern` (`/%(\d+|\{\d+\}|\{[a-z]+:\%\d+(?:\|(?:%\{\d+\}|%.|[^\}])*)+\}|.)/`) and `markdownPattern` (`` /(%.)|(\*{1,3})((?:%.|.)+?)\2|(`+)((?:%.|.)+?)\4|\[((?:%.|.)+?)\]\(([^\s\)]+)\)/ ``) [ref_id=1]. These are the two regex components cited in the issue report.
What the fix does
No patch is provided in the bundle. The issue report identifies the two vulnerable regex patterns in MathJax.js but does not include a fix [ref_id=1]. The vendor disputes the finding, stating that the regular expressions are not applied to user input and therefore there is no risk [ref_id=1]. Without a published fix, remediation would require either rewriting the regex patterns to avoid exponential backtracking or ensuring that only trusted, non-user-controlled strings are passed to the affected functions.
Preconditions
- Input: the attacker must be able to control the message string passed to `MathJax.Message.Set()` or `MathJax.Localization._()`
- Config: the application must be using MathJax v2.7.9 or earlier
Reproduction
Use `MathJax.Message.Set(["msg","%{a:%0||||||||||||||||||||||||||||||||||",5]);` or `MathJax.Localization._("123", "%{a:%0||||||||||||||||||||||||||||||||||");` to trigger exponential backtracking on the vulnerable regex patterns [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-v638-q856-grg8 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-39663 (GHSA, advisory)
- github.com/mathjax/MathJax/issues/3074 (GHSA, web)
News mentions
No linked articles in our index yet.